FactoryAssistant
/
back-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

修复 sql注入漏洞 #4393

Browse Source
dev
zhangdaiscott 3 years ago
parent f94c5e1f3f
commit 0fc374de47
2 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File

9
jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
Unescape View File

@ -3,6 +3,7 @@ package org.jeecg.common.util;
import cn.hutool.crypto.SecureUtil;
import lombok.extern.slf4j.Slf4j;
import org.jeecg.common.exception.JeecgBootException;
import javax.servlet.http.HttpServletRequest;
import java.lang.reflect.Field;
import java.util.Set;
@ -21,7 +22,7 @@ public class SqlInjectionUtil {
* 线 20200501
*/
private final static String TABLE_DICT_SIGN_SALT = "20200501";
private final static String XSS_STR = "and |extractvalue|updatexml|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
private final static String XSS_STR = "and |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
/**
* user()
@ -33,7 +34,7 @@ public class SqlInjectionUtil {
/**
* sql
*/
private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*.*\\*/");
private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*[\\s\\S]*\\*/");
/**
* sign
@ -167,7 +168,7 @@ public class SqlInjectionUtil {
*/
//@Deprecated
public static void specialFilterContentForDictSql(String value) {
String specialXssStr = " exec |extractvalue|updatexml| insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
String specialXssStr = " exec |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
String[] xssArr = specialXssStr.split("\\|");
if (value == null || "".equals(value)) {
return;
@ -201,7 +202,7 @@ public class SqlInjectionUtil {
*/
//@Deprecated
public static void specialFilterContentForOnlineReport(String value) {
String specialXssStr = " exec |extractvalue|updatexml| insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
String specialXssStr = " exec |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
String[] xssArr = specialXssStr.split("\\|");
if (value == null || "".equals(value)) {
return;

5
jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
Unescape View File

@ -1,6 +1,5 @@
package org.jeecg.modules.system.security;
import org.jeecg.common.constant.CommonConstant;
import org.jeecg.common.constant.SymbolConstant;
import org.jeecg.common.util.oConvertUtils;
import org.jeecg.common.util.security.AbstractQueryBlackListHandler;
@ -52,7 +51,9 @@ public class DictQueryBlackListHandler extends AbstractQueryBlackListHandler {
*/
private String getTableName(String str) {
String[] arr = str.split("\\s+(?i)where\\s+");
return arr[0];
// sys_user , (sys_user), sys_user%20, %60sys_user%60 issues/4393
String reg = "\\s+|\\(|\\)|`";
return arr[0].replaceAll(reg, "");
}
}

Write Preview
Loading…
Cancel
Save